
EXTERNAL NETWORK VULNERABILITY ASSESSMENT AND PENETRATION TEST REPORT
FOR AVINEON INDIA
FROM NETWORK INTELLIGENCE (INDIA) PVT. LTD.

AVINEON INDIA - Vulnerability Assessment And Penetration Testing Report

CONTENTS
1 EXECUTIVE SUMMARY ..... 5
1.1 SUMMARY ..... 5
1.2 OBJECTIVE ..... 5
1.3 DURATION ..... 5
1.4 APPROACH ..... 6
1.5 SCOPE OF WORK ..... 7
1.6 TYPE OF ASSESSMENT SELECTED BY AVINEON INDIA ..... 8
1.7 STANDARDS AND FRAMEWORK FOLLOWED ..... 9
1.8 SUMMARY OF FINDINGS ..... 10
1.9 TABULAR SUMMARY ..... 11
1.10 GRAPHICAL SUMMARY ..... 11
1.11 SEVERITY RATING ..... 12
1.12 EASE OF EXPLOITATION ..... 13
2 TECHNICAL REPORT ..... 14
2.1 NETWORK SECURITY TESTING ..... 14
2.1.1 SMTP OPEN RELAY ..... 14
2.1.2 UNENCRYPTED TELNET SERVER ..... 16
2.1.3 UNSUPPORTED VERSION OF WINDOWS SERVER 2003 ..... 18
2.1.4 OLDER VERSION OF INTERNET INFORMATION SERVICE (IIS) ..... 20
2.1.5 CLEAR TEXT SERVICES ..... 22
2.1.6 POODLE VULNERABILITY ..... 24
2.1.7 CCS INJECTION VULNERABILITY ..... 27
2.1.8 MULTIPLE SSL ISSUES ..... 29
2.1.9 INTERNAL IP DISCLOSURE ..... 36
2.1.10 INTERNET KEY EXCHANGE (IKE) AGGRESSIVE MODE WITH PRE-SHARED KEY ..... 37
2.1.11 VERSION DISCLOSURE ..... 39
2.2 PORT SCAN STATUS ..... 41
3 APPENDIX ..... 42

Confidential  Network Intelligence (India) Pvt. Ltd. Page 2 of 43



DOCUMENT DETAILS

DOCUMENT VERSION CONTROL
Document Title: External Vulnerability Assessment And Penetration Testing Report
Document Id: NII//AVINEON//Oct15
Prepared By: Shubham Jain
Reviewed By: Vikash Tiwari
Approved By: Jaideep Patil
Effective Date: November 6, 2015

DOCUMENT SUBMISSION DETAILS
Date: November 6, 2015
Classification: Confidential
Document Type: External Vulnerability Assessment And Penetration Testing Report
Submitted To: Surya Gubbala
Address: 1st Floor, Block A, Cyber Gateway, HITEC City, Madhapur, Hyderabad, Telangana 500081
Contact Number: +91-9440124875
E-Mail: surya.gubbala@avineonindia.com

Sr. No. / Name / Organization / Purpose
1. Shubham Jain - Network Intelligence - Document Preparation
2. Vikash Tiwari - Network Intelligence - Document Review
3. Jaideep Patil - Network Intelligence - Document Approval
4. Surya Gubbala - Avineon India - Document Appraisal and Acceptance


NOTICE
This document contains information which is the intellectual property of Network Intelligence (India) Pvt.
Ltd. (also called NII Consulting). This document is received in confidence and its contents cannot be
disclosed or copied without the prior written consent of NII Consulting.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. NII Consulting
disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness
for a particular purpose; merchantability; non infringement of intellectual property or other rights of any
third party or of NII Consulting; indemnity; and all others. The reader is advised that third parties can have
intellectual property rights that can be relevant to this document and the technologies discussed herein,
and is advised to seek the advice of competent legal counsel, without obligation of NII Consulting.

NII Consulting retains the right to make changes to this document at any time without notice. NII
Consulting makes no warranty for the use of this document and assumes no responsibility for any errors
that can appear in the document nor does it make a commitment to update the information contained
herein.

COPYRIGHT
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.

TRADEMARKS
Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners' benefit, without intent to infringe.

Name: Shubham Jain
Title: Security Analyst
Company: Network Intelligence (India) Pvt. Ltd.
Address: 204 Eco Space, Off Old Nagardas Road, Andheri (East), Mumbai 400069
Tel. No: +91-22-2839-2628
Mobile No: +91-8588818141
E-Mail: shubham.jain@niiconsulting.com


1 EXECUTIVE SUMMARY
1.1 SUMMARY
AVINEON INDIA had assigned Network Intelligence (I) Pvt. Ltd. the task of carrying out an internal network
vulnerability assessment and penetration test activity on the given set of IP addresses, as included in the
scope of work.

1.2 OBJECTIVE
The purpose of the assessment was to determine and exploit security vulnerabilities in the given set of IP
addresses listed in the scope. The tests were carried out assuming the identity of an inside attacker or a
disgruntled employee with malicious intent. Due care was taken not to harm the servers as requested.

1.3 DURATION
This assessment was performed from 30th October to 4th November 2015. The detailed report on each
task and our findings is given below.


1.4 APPROACH

1. Performed broad scans to identify potential areas of exposure and services
2. Performed targeted scans and manual investigation to validate vulnerabilities
3. Identified components to gain access
4. Identified and validated vulnerabilities
5. Ranked the vulnerabilities based on threat level, loss potential, and likelihood of exploitation
6. Identified issues of immediate consequence and recommended solutions
7. Developed long-term recommendations to enhance security
8. Transferred knowledge through this report

Figure: assessment lifecycle diagram. Stages shown in the cycle: Develop thorough plan for testing;
Conduct reconnaissance; Perform scanning; Conduct manual testing; Identify & validate vulnerabilities;
Try and gain access by exploiting the vulnerability; Prioritize and rank vulnerabilities; Recommend
solutions; Develop strategy to enhance security posture; Ensure continuous improvement by conducting
periodic assessments. At the centre of the cycle: Document findings & gather proof-of-concepts at all
the stages.


1.5 SCOPE OF WORK

The scope of this assessment was limited to the IP addresses mentioned below:

Sr. No. IP Address
1 175.101.4.226
2 175.101.4.227
3 175.101.4.231
4 175.101.4.232
5 175.101.4.233
6 175.101.4.234
7 175.101.4.235
8 175.101.4.236
9 175.101.4.237
10 175.101.4.238
11 175.101.4.239
12 175.101.4.240
13 175.101.4.241
14 175.101.4.242
15 175.101.4.243
16 175.101.4.244
17 175.101.4.245
18 175.101.4.246
19 175.101.4.247
20 175.101.4.248
21 175.101.4.249


1.6 TYPE OF ASSESSMENT SELECTED BY AVINEON INDIA

Sr. No. / Type of penetration test approach / Description / As applicable and selected by AVINEON INDIA

1. Black-Box Assessment (selected: Yes) - In this approach we only know the IP addresses of the client
infrastructure. Enumeration of technologies, mapping of the services, and determining security
vulnerabilities and the different entry points available to attackers are all part of this exercise.

2. Penetration Testing (selected: Yes) - Penetration testing focuses on the vulnerabilities identified
during the vulnerability assessment phase and exploits them to demonstrate their impact.

3. Vulnerability Assessment (selected: Yes) - Vulnerability assessment is the process of identifying,
quantifying, and prioritizing the vulnerabilities of the components of the IT infrastructure.


1.7 STANDARDS AND FRAMEWORK FOLLOWED

1. The Open Source Security Testing Methodology Manual (OSSTMM)
2. National Institute of Standards and Technology (NIST)


1.8 SUMMARY OF FINDINGS

The following table summarizes the findings discovered during the project:

Sr. No. / Title / Severity Rating / Ease of Exploitation
1. Default Credentials - HIGH - EASY
2. SMTP Open Relay - HIGH - EASY
3. Unsupported Version Of Windows Server 2003 - HIGH - DIFFICULT
4. Older version of IIS - HIGH - DIFFICULT
5. Clear Text Services - MEDIUM - MODERATE
6. POODLE Vulnerability - MEDIUM - DIFFICULT
7. CCS Injection Vulnerability - MEDIUM - DIFFICULT
8. Multiple SSL Issues - MEDIUM - DIFFICULT
9. Information Disclosure - MEDIUM - DIFFICULT
10. Internal IP Disclosure - LOW - DIFFICULT
11. Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key - LOW - DIFFICULT
12. Version Disclosure - LOW - DIFFICULT


1.9 TABULAR SUMMARY

The following table summarizes the system vulnerability assessment:

Category / Description
Systems Vulnerability Assessment Summary
IP Addresses: 21
Vulnerabilities found: 12
Severity of vulnerabilities: HIGH 4, MEDIUM 5, LOW 3

1.10 GRAPHICAL SUMMARY

Figure: "Vulnerability Summary" bar chart (Overall Vulnerability Graph) of the total number of
vulnerabilities discovered by severity: HIGH 4, MEDIUM 5, LOW 3.


1.11 SEVERITY RATING

HIGH
This rating is reserved for system vulnerabilities that will result in serious impact to the organization.
Depending on the criticality of the system, risks of this magnitude could represent a financial impact or
damage customer and partner relationships. It is imperative that efforts be undertaken immediately to
mitigate the vulnerabilities in this category. All 'High' severity levels are defined by the following
examples:
(Potential) Trojan Horses
(Potential) Backdoor
File Read and Write Exploits
Remote Command Execution
Database Access
Denial of Service

MEDIUM
Medium threats are defined by some of the following examples:
Denial of Service
Unencrypted protocol access
Disclosure of server details
Application errors

LOW
Low threats are defined by some of the following examples:
Services enabled with a past history of security flaws
Limited exploit of read
Directory browsing
Information Disclosure
Old software
General security recommendations

OBSERVATION
These issues represent a very low level of security threat. They include minor information leakage and
unnecessary services or legacy protocols that pose no real threat to security.


1.12 EASE OF EXPLOITATION

Ease of exploitation refers to the complexity and effort required by an attacker to successfully exploit a
vulnerability uncovered during a penetration test. Factors that make exploitation easier include the
discoverability of the vulnerable element and the availability of free or easy-to-use tools to exploit it.
These factors give an attacker great leverage to craft a targeted attack against an information asset and
hence increase the impact of the issue, since it can be more easily exploited.

Ease of exploitation thus depends on the following factors:
1. Time
2. Access rights
3. Resource availability
4. Presence of compensating controls

Based on these factors, ease of exploitation is classified as Easy, Moderate or Difficult, defined as
follows:

EASY
The ease of exploitation is stated as Easy when there is a public exploit available and the exploitable
element is easily discoverable, i.e. without authentication. The exploit may require no or very little
modification to successfully compromise the target system. The absence of compensating controls makes
exploitation quite straightforward in this case.

MODERATE
The ease of exploitation is stated as Moderate when the time required by an attacker is substantially
greater and the attacker has very little or restricted access to the targeted resource. Any available
exploit has to be customized considerably for a successful infiltration, which poses a significant
challenge for an attacker. Compensating controls, where present, have to be subverted or bypassed in
innovative ways for exploitation to succeed.

DIFFICULT
The ease of exploitation is stated as Difficult when the resources required to exploit the vulnerability
are very high. Most likely there is no publicly available exploit and the vulnerable element is accessible
only after authentication. Additional compensating controls such as a WAF or reduced access rights make
exploitation even more difficult. To subvert them, the attacker needs to fully utilize his skills and
dedicate time to planning and execution, making exploitation very challenging.


2 TECHNICAL REPORT
2.1 NETWORK SECURITY TESTING

2.1.1 SMTP OPEN RELAY

SEVERITY
HIGH

EASE OF EXPLOITATION
EASY

AFFECTED IP
175.101.4.233:25[TCP]
175.101.4.234:25[TCP]

ANALYSIS
During the analysis it was observed that the remote hosts were vulnerable to an open relay attack. Please
see the screenshot below:

Figure 1: Manual testing for open relay

IMPACT
An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to
send e-mail through it, not just mail destined to or originating from known users.


RECOMMENDATION
Follow the steps provided by Kerio Support to properly configure the SMTP server and mitigate this
vulnerability; please see the reference below.

REFERENCE
CVE-1999-0512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0512

How to configure Kerio mail server
http://kb.kerio.com/product/kerio-connect/server-configuration/services/configuring-the-smtp-server-1167.html
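Added example, not from the report, Kerio or NII: a small check a mail administrator can run after reconfiguring the server to confirm that an external sender to an external recipient is refused at RCPT TO. It drives only the envelope phase and never issues DATA, so no message is sent; the host name, probe sender and probe recipient are assumed placeholders, and the two reply transcripts are constructed for offline use.

```python
"""Verify whether an SMTP server relays mail for third parties.

Added example (not part of the original report). Only the envelope phase
(EHLO, MAIL FROM, RCPT TO) is exercised, followed by RSET and QUIT; no DATA
command is ever sent, so nothing is delivered. The names below are
placeholders (assumptions), not values from the assessed environment.
"""
import io
import socket

HELO_NAME = "relaycheck.example"              # assumption: our own host name
PROBE_SENDER = "probe@relaycheck.example"     # external sender, not a local user
PROBE_RECIPIENT = "probe@third-party.example" # external recipient: a correctly
                                              # configured server must refuse it


class SMTPProtocolError(Exception):
    """Raised when the server reply does not fit the expected flow."""


def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise SMTPProtocolError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # '-' in column 4 marks a continuation line; a space ends the reply.
        if len(line) < 4 or line[3] != "-":
            break
    try:
        return int(lines[-1][:3]), lines
    except ValueError as exc:
        raise SMTPProtocolError("malformed reply: %r" % lines[-1]) from exc


def send_command(rfile, wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_accepted(rfile, wfile, helo=HELO_NAME, sender=PROBE_SENDER,
                   recipient=PROBE_RECIPIENT):
    """Return True if the server accepts an external->external envelope.

    A properly configured server answers RCPT TO with a 5xx reply
    (e.g. 554 relay access denied) for a recipient it does not host.
    """
    code, _ = read_reply(rfile)                      # greeting banner
    if code != 220:
        raise SMTPProtocolError("unexpected greeting code %d" % code)
    code, _ = send_command(rfile, wfile, "EHLO %s" % helo)
    if code != 250:                                  # fall back to HELO
        code, _ = send_command(rfile, wfile, "HELO %s" % helo)
        if code != 250:
            raise SMTPProtocolError("HELO rejected with %d" % code)
    code, _ = send_command(rfile, wfile, "MAIL FROM:<%s>" % sender)
    if code != 250:
        # Sender refused outright: no relay for this sender.
        send_command(rfile, wfile, "QUIT")
        return False
    code, _ = send_command(rfile, wfile, "RCPT TO:<%s>" % recipient)
    accepted = 200 <= code < 300
    send_command(rfile, wfile, "RSET")               # abandon the envelope
    send_command(rfile, wfile, "QUIT")               # never DATA
    return accepted


def check_host(host, port=25, timeout=10):
    """Run the relay check against a live server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_accepted(rfile, wfile)


def check_transcript(server_replies):
    """Run the check against a scripted reply stream (offline test)."""
    return relay_accepted(io.BytesIO(server_replies), io.BytesIO())


# Constructed sample transcripts (not captured from the assessed hosts).
OPEN_RELAY_REPLIES = (
    b"220 mail.example.test ESMTP ready\r\n"
    b"250-mail.example.test\r\n250-SIZE 20480000\r\n250 8BITMIME\r\n"
    b"250 2.1.0 Sender OK\r\n"
    b"250 2.1.5 Recipient OK\r\n"                    # relay accepted: the finding
    b"250 2.0.0 Reset\r\n"
    b"221 2.0.0 Bye\r\n"
)
CLOSED_RELAY_REPLIES = (
    b"220 mail.example.test ESMTP ready\r\n"
    b"250-mail.example.test\r\n250 8BITMIME\r\n"
    b"250 2.1.0 Sender OK\r\n"
    b"554 5.7.1 <probe@third-party.example>: Relay access denied\r\n"
    b"250 2.0.0 Reset\r\n"
    b"221 2.0.0 Bye\r\n"
)

if __name__ == "__main__":
    print("open relay sample  :", check_transcript(OPEN_RELAY_REPLIES))    # True
    print("closed relay sample:", check_transcript(CLOSED_RELAY_REPLIES))  # False
```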


2.1.2 UNENCRYPTED TELNET SERVER

SEVERITY
HIGH

EASE OF EXPLOITATION
MODERATE

AFFECTED IP
175.101.4.226:23[TCP]

ANALYSIS
It was observed during the analysis that the Telnet server transmits traffic in clear text.

Figure 2: Unencrypted Telnet server

Figure 3: Telnet credentials in Wireshark

IMPACT
Using Telnet over an unencrypted channel is not recommended, as logins, passwords, and commands are
transferred in clear text. This allows a remote man-in-the-middle attacker to eavesdrop on a Telnet
session to obtain credentials or other sensitive information and to modify traffic exchanged between
client and server.


RECOMMENDATION
We strongly suggest either implementing encryption or disabling the Telnet service and using the latest
SSH version, i.e. SSH version 2, instead.

REFERENCE
Implementing Encryption in Telnet
http://www.cs.cmu.edu/~droh/755/encr_telnet.html

Secure Shell (OpenSSH)
http://www.openssh.com/


2.1.3 UNSUPPORTED VERSION OF WINDOWS SERVER 2003

SEVERITY
HIGH

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.236
175.101.4.245

ANALYSIS
During analysis, we identified that the remote hosts appeared to be running Microsoft Windows Server
2003. Microsoft's support for this operating system ended on July 14th, 2015.

Figure 4: Windows Server 2003

IMPACT
Lack of support means that no new security patches for the product will be released by the vendor. As a
result, it is likely to contain unpatched security vulnerabilities. Furthermore, Microsoft is unlikely to
investigate or acknowledge reports of vulnerabilities.

RECOMMENDATION
It is highly recommended that a vendor-supported OS such as Windows Server 2008 or Windows Server 2012
be deployed.

REFERENCE
Microsoft's Official Announcement
https://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/

Microsoft Windows Server 2008


https://www.microsoft.com/en-in/download/details.aspx?id=5023

Microsoft Windows Server 2012
https://www.microsoft.com/en-in/server-cloud/products/windows-server-2012-r2/purchasing.aspx


2.1.4 OLDER VERSION OF INTERNET INFORMATION SERVICE (IIS)

SEVERITY
HIGH

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.231:80[TCP]
175.101.4.232:80[TCP]
175.101.4.239:80[TCP]
175.101.4.244:80[TCP]
175.101.4.245:80[TCP]

ANALYSIS
During analysis, we identified that the remote hosts were running Microsoft IIS 6.0 and 7.5, which are
older versions affected by high-severity vulnerabilities.

Figure 5: IIS version 7.5

The following servers are running vulnerable versions of IIS:
175.101.4.231: IIS 7.5
175.101.4.232: IIS 7.5
175.101.4.239: IIS 7.5
175.101.4.244: IIS 7.5
175.101.4.245: IIS 7.5


IMPACT
The older versions of IIS, i.e. 6.0 and 7.5, are affected by high-severity security flaws such as denial
of service and buffer overflows.

RECOMMENDATION
It is highly recommended that IIS version 8.5 or the latest version, i.e. IIS 10, be deployed.

REFERENCE
Microsoft IIS 6.0 vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-13492/Microsoft-IIS-6.0.html

Microsoft IIS 7.5 vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-92758/Microsoft-IIS-7.5.html

Microsoft IIS 8.5
http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2

Microsoft IIS 10
http://www.iis.net/learn/get-started/whats-new-in-iis-10
https://www.microsoft.com/en-us/download/details.aspx?id=48264


2.1.5 CLEAR TEXT SERVICES

SEVERITY
MEDIUM

EASE OF EXPLOITATION
MODERATE

AFFECTED IP
175.101.4.233:110[TCP]

ANALYSIS
During analysis, we found that POP version 3 was running on port 110, which allowed credentials to be
transmitted in clear text.

Figure 6: Credentials entered

Figure 7: Username captured in clear text in Wireshark


Figure 8: Password captured in clear text in Wireshark

IMPACT
An attacker may eavesdrop on the communication and obtain sensitive information, which may include
the credentials used for POP3 communications.

RECOMMENDATION
It is strongly suggested that POP3 traffic be encrypted with SSL/TLS, for example using stunnel.

REFERENCE
Threats from using clear-text protocols internally
https://www.solutionary.com/resource-center/blog/2010/11/clear-text-is-fineits-internal/

Clear-text Transmission of Sensitive Information
https://cwe.mitre.org/data/definitions/319.html

Securing Kerio
http://kb.kerio.com/product/kerio-connect/server-configuration/security/securing-kerio-connect-1239.html


2.1.6 POODLE VULNERABILITY

SEVERITY
MEDIUM

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
SSLv3 POODLE Vulnerability:
175.101.4.226:443[TCP]
175.101.4.227:443[TCP]
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]

TLS POODLE Vulnerability:
175.101.4.227:443[TCP]

ANALYSIS
SSLv3 POODLE Vulnerability:
During analysis, we determined that the remote servers supported SSLv2 and/or SSLv3 with at least one
CBC cipher suite, indicating that these servers were vulnerable.

Additionally, it appeared that TLSv1 or newer was supported on the servers. However, the Fallback SCSV
mechanism was not supported, which allowed connections to be "rolled back" to SSLv3.

Figure 9: Server vulnerable to POODLE


TLS POODLE Vulnerability:
During analysis, we determined that the remote server supported TLSv1.0 and did not verify block cipher
padding when using a cipher suite that employs a block cipher such as AES or DES.

Figure 10: Server vulnerable to TLS POODLE

IMPACT
SSLv3 POODLE Vulnerability:
A MITM (man-in-the-middle) attacker can decrypt a selected byte of a ciphertext in as few as 256 tries if
they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0
connections.

TLS POODLE Vulnerability:
If an attacker is able to carry out a MITM attack, it is possible to decrypt the intercepted traffic and
read it.

RECOMMENDATION
SSLv3 POODLE Vulnerability:
Following are the recommendations:
1. Disable SSLv3 on the system and use TLS version 1.2.
2. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

TLS POODLE Vulnerability:
Following are the recommendations:
1. Disable TLSv1.0 on the system and use TLS version 1.1 or 1.2 instead.

REFERENCE
POODLE Attacks on SSLv3
https://www.imperialviolet.org/2014/10/14/poodle.html

POODLE Attack on TLS
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

CVE-2014-3566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Steps to enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled


https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00


2.1.7 CCS INJECTION VULNERABILITY

SEVERITY
MEDIUM

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.226:443[TCP]

ANALYSIS
During the analysis it was observed that the host was vulnerable to the CCS Injection vulnerability.

Figure 11: CCS Injection

IMPACT
This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt it, while
forcing SSL clients to use weak keys that are exposed to the malicious nodes. Both servers and clients
are affected by this vulnerability.

RECOMMENDATION
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users
(client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should
upgrade to 1.0.1h. Please refer to the link provided in the reference.

REFERENCE
CVE-2014-0224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224


CCS Injection Vulnerability overview and remediation
http://ccsinjection.lepidum.co.jp/


2.1.8 MULTIPLE SSL ISSUES

SEVERITY
MEDIUM

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
SSL RC4 Cipher Suites Supported:
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]

SSL Self Signed Certificate:
175.101.4.226:443[TCP]
175.101.4.227:443[TCP]
175.101.4.233:443[TCP]
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]

SSL Certificate Signed Using Weak Hashing Algorithm:
175.101.4.226:443[TCP]
175.101.4.227:443[TCP]
175.101.4.233:443[TCP]

SSL/TLS Renegotiation Handshake MitM Plaintext Data Injection:
175.101.4.226:443[TCP]

SSL version 2 and SSL version 3 supported:
175.101.4.226:443[TCP]
175.101.4.227:443[TCP]
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]

ANALYSIS
SSL RC4 Cipher Suites Supported
During analysis we identified that the remote hosts supported the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes: a wide variety of small
biases are introduced into the stream, decreasing its randomness.


Figure 12: SSL RC4 cipher suite supported

SSL Self Signed Certificate
During analysis, we found that the certificates associated with the aforementioned IP addresses were
self-signed.


Figure 13: SSL self-signed certificate

SSL Certificate Signed Using Weak Hashing Algorithm
It was observed during analysis that the certificate chain had been signed using a weak hash algorithm.


Figure 14: SSL certificate signed with weak hashing algorithm

SSL/TLS Renegotiation Handshake MitM Plaintext Data Injection
During analysis, it was observed that the remote service allows insecure renegotiation of TLS/SSL
connections.


Figure 15: Client-initiated renegotiation

SSL version 2 and SSL version 3 supported:
During analysis, it was observed that the remote service encrypts traffic using a protocol with known
weaknesses such as POODLE.

Figure 16: SSL version 3


Figure 17: SSL version 2

IMPACT
SSL RC4 Cipher Suites Supported
If plaintext is repeatedly encrypted (e.g. HTTP cookies) and an attacker is able to obtain many (i.e. tens
of millions of) ciphertexts, the attacker may be able to derive the plaintext.

SSL Self Signed Certificate
Since the remote host is publicly hosted, a self-signed certificate nullifies the assurance SSL provides
and could lead to a man-in-the-middle attack against the remote host.

SSL Certificate Signed Using Weak Hashing Algorithm
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing the attacker to masquerade as the affected service.

SSL/TLS Renegotiation Handshake MitM Plaintext Data Injection
The remote service encrypts traffic using TLS/SSL but allows a client to insecurely renegotiate the
connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this
issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream,
which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after
renegotiation are from the same 'client' and merges them at the application layer.

SSL version 2 and SSL version 3 supported
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle
attacks or to decrypt communications between the affected service and its clients.
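Added example, not from the report or from any scanner's own code: a small parser that decodes the version and cipher suite a server negotiates from its first handshake record and flags the conditions described in 2.1.6 (SSLv3 and CBC suites on TLSv1.0 exposed to POODLE-style attacks) and in this section (RC4 suites, SSLv2/SSLv3 support). The sample records are constructed inline and the cipher-suite table is an assumed subset of the IANA registry.

```python
"""Flag weak SSL/TLS negotiation from a server's first handshake record.

Added example (not part of the original report). Decodes both the SSLv2
SERVER-HELLO layout and the SSLv3/TLS ServerHello, then reports SSLv2,
SSLv3 (POODLE, CVE-2014-3566), RC4 suites and CBC suites on SSLv3/TLSv1.0.
Records below are constructed; the suite table is a small subset.
"""
import struct

CIPHER_NAMES = {                                   # subset of IANA suite ids
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE, SERVER_HELLO = 22, 2


def parse_server_hello(record):
    """Return {'version', 'cipher'} from a raw SSLv2 or SSLv3/TLS server hello."""
    if len(record) < 7:
        raise ValueError("record too short")
    if record[0] & 0x80:
        # SSLv2 layout: 15-bit length, msg type (4 = SERVER-HELLO),
        # session-id-hit, certificate type, then the 2-byte server version.
        if record[2] != 0x04:
            raise ValueError("SSLv2 record is not a SERVER-HELLO")
        return {"version": struct.unpack("!H", record[5:7])[0], "cipher": None}
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != HANDSHAKE or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a handshake record carrying a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) session_id_len(1) session_id
    #              cipher_suite(2) compression(1) [extensions]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    offset = 35 + hello[34]                        # skip the session id
    if len(hello) < offset + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[offset:offset + 2])[0]
    return {"version": version, "cipher": cipher}


def assess(record):
    """Return a list of finding strings for the negotiated version and suite."""
    hello = parse_server_hello(record)
    version, cipher = hello["version"], hello["cipher"]
    vname = VERSION_NAMES.get(version, "unknown(0x%04x)" % version)
    if version == 0x0002:
        return ["SSLv2 accepted: obsolete protocol with known cryptographic flaws"]
    findings = []
    if version == 0x0300:
        findings.append("SSLv3 negotiated: POODLE (CVE-2014-3566)")
    cname = CIPHER_NAMES.get(cipher, "unknown(0x%04x)" % cipher)
    if "RC4" in cname:
        findings.append("RC4 suite %s: biased keystream, plaintext recovery "
                        "from many ciphertexts" % cname)
    if "CBC" in cname and version <= 0x0301:
        findings.append("CBC suite %s on %s: exposed to POODLE-style padding "
                        "attacks" % (cname, vname))
    return findings


def build_server_hello(version, cipher):
    """Construct a minimal SSLv3/TLS ServerHello record (sample, not captured)."""
    hello = (struct.pack("!H", version) + bytes(32)   # version, zero 'random'
             + b"\x00"                                # empty session id
             + struct.pack("!H", cipher) + b"\x00")   # suite, null compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def build_sslv2_server_hello():
    """Construct a minimal SSLv2 SERVER-HELLO (sample, not captured)."""
    # type 4, session-id-hit 0, cert type 1, version 0x0002, three zero lengths
    body = b"\x04\x00\x01\x00\x02" + bytes(6)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    samples = [("SSLv3 + RC4-SHA", build_server_hello(0x0300, 0x0005)),
               ("TLSv1.0 + AES128-CBC", build_server_hello(0x0301, 0x002F)),
               ("TLSv1.2 + ECDHE-AES128-GCM", build_server_hello(0x0303, 0xC02F)),
               ("SSLv2", build_sslv2_server_hello())]
    for label, rec in samples:
        print(label, "->", assess(rec) or ["no weak-protocol findings"])
```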


RECOMMENDATION
SSL RC4 Cipher Suites Supported
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

SSL Self Signed Certificate

Purchase or generate a proper certificate for this service from a recognized certificate authority.

SSL Certificate Signed Using Weak Hashing Algorithm

Contact the Certificate Authority to have the certificate reissued with a stronger hashing algorithm, such as
SHA-256.

SSL/TLS Renegotiation Handshake MitM Plaintext Data Injection


Contact the vendor for specific patch information.

SSL version 2 and SSL version 3 supported

NIST has determined that SSL 2.0 and 3.0 are no longer acceptable for secure communications. Disable SSL
version 2 and SSL version 3. Use TLS 1.1 (with approved cipher suites) or higher instead.

REFERENCE
Attacking SSL when using RC4
http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

SSL Self Signed Certificate


https://en.wikipedia.org/wiki/Self-signed_certificate

SSL Certificate Signed Using Weak Hashing Algorithm


http://thehackernews.com/2014/02/98-of-ssl-enabled-websites-still-using.html

SSL/TLS Renegotiation Handshake MitM Plaintext Data Injection


https://www.digicert.com/news/2011-06-03-ssl-renego.htm

SSL version 2 and SSL version 3 supported


https://en.wikipedia.org/wiki/Transport_Layer_Security
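The recommendations above (no SSL 2.0/3.0, no RC4, TLS 1.2 with AES-GCM suites) can be expressed and verified in
code. The following is an added example written for this report and is not code from the assessed environment or
from the assessment vendor. It builds a hardened server-side SSLContext with Python's standard ssl module and
provides two checks that can be run either against that context or against a plain list of cipher names such as a
scanner would report. The certfile and keyfile parameters are hypothetical paths; the sample cipher list in the
usage section is constructed. Note that set_ciphers() governs TLS 1.2 and earlier only; TLS 1.3 suites are fixed
by the library and contain none of the weak families.

```python
import ssl

# TLS 1.2 suites we are willing to offer: forward-secret key exchange with
# AES-GCM only. RC4, MD5, 3DES and unauthenticated suites are excluded
# explicitly so the policy holds even on a permissive OpenSSL default list.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5:!3DES"

# Substrings that identify the suite family flagged in the report (RC4) and the
# other legacy families a reviewer would refuse alongside it.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES-CBC3", "3DES", "NULL", "ADH", "AECDH", "EXP")


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext addressing the findings in this section.

    SSL 3.0 and TLS 1.0/1.1 are refused by the minimum version (SSL 2.0 is
    not supported by OpenSSL at all any more); RC4 is excluded by the cipher
    string; legacy insecure renegotiation is refused by OpenSSL by default
    unless explicitly re-enabled, and TLS 1.3 removed renegotiation entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        # Hypothetical path to a CA-issued, SHA-256 signed certificate chain.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers_in(names):
    """Sorted cipher names from an arbitrary list (e.g. scanner output) that
    belong to a weak family."""
    return sorted(n for n in names
                  if any(marker in n for marker in WEAK_CIPHER_MARKERS))


def weak_ciphers(ctx):
    """The same check applied to what an SSLContext would actually negotiate."""
    return weak_ciphers_in(c["name"] for c in ctx.get_ciphers())


def legacy_protocols_allowed(ctx):
    """Names of SSL 3.0 / TLS 1.0 / TLS 1.1 that the context's version policy
    still admits.  MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinel values
    (negative integers), so they are mapped to concrete versions first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    legacy = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    return [v.name for v in legacy if lo <= v <= hi]


def minimum_version_name(ctx):
    """Human-readable minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Constructed list standing in for a scanner's enumeration of a weak host.
    scanned = ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    print("weak suites reported by scanner:", weak_ciphers_in(scanned))
    ctx = hardened_server_context()
    print("minimum version:", minimum_version_name(ctx))
    print("legacy protocols still allowed:", legacy_protocols_allowed(ctx))
    print("weak suites in hardened context:", weak_ciphers(ctx))
```

The two list-based checks are deliberately separated from the context so that the same policy can be applied to a
scanner export when the server itself is not written in Python.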


2.1.9 INTERNAL IP DISCLOSURE


SEVERITY
LOW

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.245:80 [TCP]

ANALYSIS
During analysis, we were able to identify IP addresses disclosed while enumerating port 80. These might be
internal IP addresses, as shown in the screenshot below.

FIGURE 18: INTERNAL IP ADDRESS DISCLOSED

IMPACT
Based on the revealed IP address, an attacker can map out the internal IP addressing scheme and spoof an IP
address in the same range to avoid detection.

RECOMMENDATION
Prevent this information from being displayed to the user.


2.1.10 INTERNET KEY EXCHANGE (IKE) AGGRESSIVE MODE WITH PRE-SHARED KEY
SEVERITY
LOW

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.227:500[UDP]

ANALYSIS
It was observed that the Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode
with Pre-Shared key (PSK) authentication.

FIGURE 19: AGGRESSIVE MODE ENABLED

IMPACT
When a VPN is configured to use a pre-shared master secret and a client attempts to negotiate keys in
aggressive mode, a hash of the secret is transmitted across the network in clear-text. This may result in
the hash being leaked to eavesdroppers or malicious clients. An offline brute-force attack on this hash may
then be performed to obtain the clear-text secret.

RECOMMENDATION
Below are some recommendations:
• Disable Aggressive Mode.
• Do not use pre-shared key authentication if it can be avoided.
• If a pre-shared key cannot be avoided, use a very strong key.


REFERENCE
Paper on IKE Aggressive Scan
http://www.giac.org/paper/gcih/541/vpn-aggressive-mode-pre-shared-key-brute-force-attack/104625

Brief explanation of the attack


https://www.ernw.de/download/pskattack.pdf

Advisory on the vulnerability


http://www.securityfocus.com/bid/7423
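The three recommendations above can be checked mechanically against a VPN gateway's configuration. The following
is an added example written for this report, not code from the assessed environment or from the assessment
vendor. It parses a constructed ipsec.conf-style file (assumed strongSwan syntax: a "conn <name>" header followed
by indented key=value lines, with the keys keyexchange, aggressive and authby, and the defaults keyexchange=ike,
aggressive=no, authby=pubkey assumed), reports which connections still use IKEv1 aggressive mode or PSK
authentication, and gives a rough entropy estimate for a candidate pre-shared key so that "very strong" has a
measurable meaning. The sample configuration and sample keys are constructed and do not come from the assessed host.

```python
import math
import string

# Constructed ipsec.conf-style sample (assumed strongSwan syntax). The first
# conn reproduces the finding in this section; the second is the fixed form.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn roadwarrior-legacy
    keyexchange=ikev1
    aggressive=yes
    authby=psk
    left=%defaultroute
    right=%any

conn roadwarrior-fixed
    keyexchange=ikev2
    aggressive=no
    authby=pubkey
    left=%defaultroute
    right=%any
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Non-indented lines start a section; only 'conn' sections are kept.
    Comments (from '#') and blank lines are ignored; keys/values are lowered.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            head = line.split()
            if head[0] == "conn" and len(head) > 1:
                current = conns.setdefault(head[1], {})
            else:
                current = None          # 'config setup' and the like
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return conns


def audit_conns(conns):
    """Map each conn name to the findings from the recommendation list that
    apply to it; an empty list means the conn passes."""
    report = {}
    for name, opts in conns.items():
        findings = []
        # Assumed strongSwan defaults: keyexchange=ike (IKEv1 accepted),
        # aggressive=no, authby=pubkey.
        ikev1_possible = opts.get("keyexchange", "ike") in ("ike", "ikev1")
        if ikev1_possible and opts.get("aggressive", "no") == "yes":
            findings.append("IKEv1 aggressive mode enabled")
        if opts.get("authby", "pubkey") in ("psk", "secret"):
            findings.append("pre-shared key authentication")
        report[name] = findings
    return report


def psk_entropy_bits(psk):
    """Rough entropy estimate: length times log2 of the size of the character
    classes actually used. A PSK whose hash is exposed by aggressive mode is
    only as strong as this number against offline guessing."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    space = sum(len(c) for c in classes if any(ch in c for ch in psk))
    return len(psk) * math.log2(space) if space else 0.0


def psk_is_strong(psk, min_bits=128):
    """True when the estimate reaches the (assumed) 128-bit target."""
    return psk_entropy_bits(psk) >= min_bits


if __name__ == "__main__":
    for conn, findings in audit_conns(parse_conns(SAMPLE_IPSEC_CONF)).items():
        print(conn, "->", findings or "ok")
    for candidate in ("vpn12345", "Qx7!mZ2#pL9$wE4%rT6&yU8*iO1(aS3)"):
        print(f"{candidate!r}: ~{psk_entropy_bits(candidate):.0f} bits,",
              "strong" if psk_is_strong(candidate) else "weak")
```

The entropy estimate is an upper bound: it assumes every character was chosen uniformly at random, so a
dictionary-derived key will score higher than it deserves. Keys generated by a CSPRNG are the only ones for which
the estimate is realistic.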


2.1.11 VERSION DISCLOSURE


SEVERITY
LOW

EASE OF EXPLOITATION
DIFFICULT

AFFECTED IP
175.101.4.231:80[TCP]
175.101.4.232:80[TCP]
175.101.4.239:80[TCP]
175.101.4.243:80[TCP]
175.101.4.244:80[TCP]
175.101.4.245:80[TCP]
175.101.4.248:80[TCP]

ANALYSIS
During analysis it was found that the web servers disclose their ASP.NET and Microsoft IIS versions in the
response headers returned to a request. ASP.NET versions 2.0 and 4.0 and Microsoft IIS versions 6.0, 7.5 and 8.5
were disclosed. Please see the screenshot below.

FIGURE 20: VERSION DISCLOSURE

IMPACT
Information disclosure in HTTP response headers and error messages reveals sensitive data, such as
technical details of the web server, its environment, or user-specific data.
Such data may be used by an attacker to exploit the target web application, its hosting network, or its
users, since it allows the attacker to launch attacks specific to the disclosed versions.


RECOMMENDATION
To fix the IIS version information disclosure:
1) Download the URLScan Security Tool from the link mentioned in the reference below and install it.
2) Stop the IISAdmin service.
3) Navigate to the ‘Urlscan’ folder (default location: %systemroot%\System32\Inetsrv\Urlscan).
4) Open the Urlscan.ini file in Notepad or WordPad.
5) Locate the entry “RemoveServerHeader=0” and change it to “RemoveServerHeader=1”.
6) Save the file.
7) Start the IISAdmin service.

To fix the ASP.NET information disclosure


Apply the following changes to your web.config file to prevent information leakage by using custom error
pages and removing X-AspNet-Version from HTTP responses. Note that web.config element names are
case-sensitive and the section must sit inside the root <configuration> element.

<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

REFERENCE
Download URLScan from
http://www.iis.net/download/urlscan

Mask IIS Version Information from Network Trace and Telnet


http://support.microsoft.com/kb/317741

Disable IIS 7.5 Banner Information


http://niiconsulting.com/checkmate/2012/10/disable-iis-7-5-banner-version/


2.2 PORT SCAN STATUS

For this engagement, the IP addresses listed in the scope were port scanned. The files attached to this report
contain the port scanning results for this test.

The ports that appear to be open on each server are listed in the attached HTML file, together with the port
number, the service that usually runs on that port, and the banner displayed by the service.

Please refer to the attached HTML file for the port scanning results.


3 APPENDIX

Type of Penetration Testing Approach and Description

Black Box Approach: Here, we only know the URL of the website. Enumeration of technologies, mapping of
the website, identification of fault injection points, determining input validation vulnerabilities or
logical security vulnerabilities, and the OWASP Top 10 attacks are all part of this exercise.

Grey Box Approach: Often enough, a web application involves authentication and authorization components.
In order to be able to test these, we request a dummy user account with the least level of privileges within
the application. Using this account, we are able to log in and test for various flaws in the authentication
scheme, as well as attempt to escalate our privileges and bypass authorization restrictions.

War Dialing: A penetration test technique in which a list of telephone numbers is called to search for
computers, systems and fax machines. The purpose is to gain as much business-critical data as possible with
the help of this technique.

Wireless Hacking: Wireless hacking is done to gather all possible loopholes in an organization's wireless
infrastructure. This is done with the intention of gaining unauthorized access and trying to exploit as many
of the available resources as possible.

Social Engineering: Controls can be put on systems and devices, but the same does not hold true for the
people using these systems (employees/temporaries). Social engineering is the method by which hackers try to
obtain confidential and business-critical information using various techniques. This test focuses on finding
and exploiting all the possible loopholes pertaining to this domain so that your organization is geared up to
face social engineering attacks in real life.

War Driving: War driving can be carried out to test the range and strength of your organization's wireless
network signal. This helps to gauge the extent of the threat exposure area for your organization.

Business Risk Based Approach: The traditional penetration testing approach focuses only on technical
vulnerabilities. The business risk based approach focuses not only on the technical vulnerabilities but also
on the risks they pose to the business of AVINEON INDIA. First, test cases pertaining to the business threat
model are developed, and the penetration test is then carried out focusing mainly on those cases. This method
has many advantages over the traditional penetration test methodology, one of the biggest being that it is
business focused.

Source Code Review: Source code review focuses on detecting vulnerabilities early in the Software
Development Life Cycle (SDLC), such as dataflow attacks, Cross Site Scripting (XSS), injection (SQL, file,
XPATH, reflection, etc.), file inclusion/execution and information leakage. This methodology will help
AVINEON INDIA to close the loopholes during the development and testing phases.

Internal Penetration Testing: Many organizations secure themselves from outside threats but leave their
internal network security comparatively weak, and it has been proved over and over again that an
organization's security was compromised from within the network. Internal penetration testing focuses on
identifying these loopholes and recommending solutions to make the internal network secure and to thwart
internal threats and attacks.

Vulnerability Assessment: Vulnerability assessment is the process of identifying, quantifying, and
prioritizing the vulnerabilities of the components of the IT infrastructure.


Stress Testing: As applications move to the Web, into a server-based environment, it becomes increasingly
important to be able to gauge the performance and load capability of an application. Stress testing involves
testing the web application's ability to handle the load/stress resulting from an increase in hits, which may
be the result of a sudden change directly affecting AVINEON INDIA's business activity.

A very serious and significant threat that web applications face is from DoS attacks. In this attack the
attacker sends so many packets to a web site that it cannot service the legitimate users that are trying to
access it. This leads to denial of service for the legitimate users, thus affecting the business directly. So,
an assessment needs to be carried out to check AVINEON INDIA's preparedness to face such an attack.
